unzip is a program widely used for the distribution of
multiple files concatenated and compressed into a single
file (commonly known as an "archive").

A vulnerability has been found in the way unzip extracts files
that have invalid characters between two '.' (dot) characters in
their paths/names. unzip filters these characters out, which
leaves a ".." sequence (indicating the parent directory). By
exploiting this vulnerability, an attacker can overwrite
arbitrary files if the user unpacking such an archive has
sufficient filesystem permissions to do so.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0282 to this issue.
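
The ordering problem described above, as an added example that is
not code from unzip or from SCO: a name check that runs before the
filtering step passes a name that turns into ".." afterwards, while
filtering first and checking the result rejects it. The function
names, the "non-printable" definition of an invalid character and
the sample member names are all assumptions made for illustration.

```python
import posixpath

# Constructed sample member names; none come from a real archive.
SAMPLES = ["docs/readme.txt", "../outside.txt", ".\x01./outside.txt"]

def filter_name(raw):
    """Assumed model of the filtering step: drop non-printable characters."""
    return "".join(ch for ch in raw if ch.isprintable())

def has_parent_ref(name):
    """True if any path component is exactly '..'."""
    return ".." in name.split("/")

def check_then_filter(raw):
    """Flawed order: validate the raw name, then filter it."""
    if has_parent_ref(raw):
        return None
    return filter_name(raw)

def filter_then_check(raw):
    """Corrected order: filter first, then validate what will be written."""
    name = filter_name(raw)
    if name.startswith("/") or has_parent_ref(name):
        return None
    return name

def resolves_inside(dest, name):
    """Independent final check: does dest/name stay under dest?"""
    target = posixpath.normpath(posixpath.join(dest, name))
    return target.startswith(dest.rstrip("/") + "/")

def outcome(dest, name):
    """Classify a processed name as rejected, inside dest, or escaping it."""
    if name is None:
        return "rejected"
    return "inside" if resolves_inside(dest, name) else "escapes"

def audit(dest="/tmp/extract"):
    """Return (raw name, flawed-order outcome, corrected-order outcome)."""
    return [(raw,
             outcome(dest, check_then_filter(raw)),
             outcome(dest, filter_then_check(raw)))
            for raw in SAMPLES]

if __name__ == "__main__":
    for raw, flawed, fixed in audit():
        print(f"{raw!r:24} check-then-filter={flawed:9} filter-then-check={fixed}")
```

The resolves_inside() check is worth keeping even with the corrected
order, since it tests the final path rather than the name's spelling.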

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.

8. Acknowledgements

SCO would like to thank Ben Laurie, who found that the original
patch to fix this issue missed a case where the path component
included a quoted slash. These updated packages contain a new
patch that corrects this issue.
______________________________________________________________________________